extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-03 03:59:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update URLs to tcrules

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2015-10-04 08:20:33 -07:00
parent fed6e7c352
commit 0385b2cd37
6 changed files with 42 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
docs/MultiISP.xml
View File

@ -926,7 +926,7 @@ MARK(2) $FW 0.0.0.0/0 tcp 25</programlisting>
<para>If you are running a Shorewall version earlier than 4.6.0, the
above rules in <ulink
url="manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>
would be:</para>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER TEST
@ -1771,7 +1771,7 @@ ISP2 2 2 - eth1 130.252.99.254 track
except when you explicitly direct it to use the other provider via
<ulink url="manpages/shorewall-rtrules.html">shorewall-rtrules</ulink>
(5) or <ulink
url="manpages/shorewall-tcrules.html">shorewall-mangle</ulink>
url="manpages4/manpages/shorewall-tcrules.html">shorewall-mangle</ulink>
(5).</para>
<para>Example (send all traffic through the 'shorewall' provider unless
@ -1950,7 +1950,7 @@ ONBOOT=yes</programlisting>
url="manpages/shorewall-providers.html">shorewall-providers</ulink> (5)
is available in the form of a PROBABILITY column in <ulink
url="manpages/shorewall-mangle.html">shorewall-mangle</ulink>(5) (<ulink
url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>) (5).
url="manpages4/manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>) (5).
This feature requires the <firstterm>Statistic Match</firstterm>
capability in your iptables and kernel.</para>

4
docs/PacketHandling.xml
View File

@ -186,7 +186,7 @@
<itemizedlist>
<listitem>
<para>Packets are marked based on the contents of your
<filename>/etc/shorewall/tcrules</filename> file and the setting of
<filename>/etc/shorewall/mangle</filename> file and the setting of
MARK_IN_FORWARD_CHAIN in
<filename>/etc/shorewall/shorewall.conf</filename>. This occurs in the
<emphasis role="bold">tcfor</emphasis> chain of the
@ -261,7 +261,7 @@
<listitem>
<para>Packets are marked based on the contents of your
<filename>/etc/shorewall/tcrules</filename> file. This occurs in the
<filename>/etc/shorewall/mangle</filename> file. This occurs in the
<emphasis role="bold">tcout</emphasis> chain of the
<emphasis>mangle</emphasis> table.</para>
</listitem>

4
docs/QOSExample.xml
View File

@ -289,9 +289,9 @@ ip link set ifb0 up</programlisting>
</section>
<section>
<title>/etc/shorewall/tcrules</title>
<title>/etc/shorewall/mangle</title>
<para>The tcrules file classifies upload packets:</para>
<para>The mangle file classifies upload packets:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST SOURCE USER TEST
# PORT(S) PORT(S)

3
docs/Shorewall_Squid_Usage.xml
View File

@ -248,7 +248,8 @@ MARK(202):P eth1:!192.168.1.3 0.0.0.0/0 tcp 80</programlisting>
<para>If you are still using a tcrules file, you should consider
switching to using a mangle file (<command>shorewall update
-t</command> will do that for you). Corresponding
-t</command> (<command>shorewall update</command> on
Shorewall 5.0 and later) will do that for you). Corresponding
/etc/shorewall/tcrules entries are:</para>
<programlisting>#MARK SOURCE DEST PROTO DEST

6
docs/Shorewall_and_Routing.xml
View File

@ -91,7 +91,7 @@
<para>Packets may be marked using entries in the <ulink
url="manpages/shorewall-mangle.html">/etc/shorewall/mangle</ulink>
(<ulink
url="manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>)
url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>)
file. Entries in that file containing ":P" in the mark column are
applied here as are rules that default to the
MARK_IN_FORWARD_CHAIN=No setting in
@ -145,9 +145,9 @@
<orderedlist>
<listitem>
<para>Packets may be marked using entries in the <ulink
url="manpages/shorewall-tcrules.html">/etc/shorewall/mangle</ulink>
url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/mangle</ulink>
(<ulink
url="manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>)
url="manpages4/manpages/shorewall-tcrules.html">/etc/shorewall/tcrules</ulink>)
file (rules with "$FW" in the SOURCE column). These marks may be
used to specify that the packet should be re-routed using an
alternate routing table.</para>

58
docs/traffic_shaping.xml
View File

@ -184,7 +184,7 @@
you set WIDE_TC_MARKS=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You
assign packet marks to different types of traffic using entries in the
<filename>/etc/shorewall/tcrules</filename> file (Shorewall 4.6.0 or
<filename>/etc/shorewall/mangle</filename> file (Shorewall 4.6.0 or
later) or <filename>/etc/shorewall/tcrules</filename> (Prior to
Shorewall 4.6.0).</para>
@ -202,7 +202,7 @@
<para>One class for each interface must be designated as the
<firstterm>default class</firstterm>. This is the class to which unmarked
traffic (packets to which you have not assigned a mark value in
<filename>/etc/shorewall/tcrules</filename>) is assigned.</para>
<filename>/etc/shorewall/mangle</filename>) is assigned.</para>
<para>Netfilter also supports a mark value on each connection. You can
assign connection mark values in
@ -226,10 +226,10 @@
<para>This screen shot shows how I configured QoS in a 2.6.16
Kernel:</para>
<graphic align="center" fileref="images/traffic_shaping2.6.png" />
<graphic align="center" fileref="images/traffic_shaping2.6.png"/>
<para>And here's my recommendation for a 2.6.21 kernel:<graphic
align="center" fileref="images/traffic_shaping2.6.21.png" /></para>
align="center" fileref="images/traffic_shaping2.6.21.png"/></para>
</section>
<section id="Shorewall">
@ -501,7 +501,7 @@
</itemizedlist>
<example id="Example0">
<title></title>
<title/>
<para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
interface for this. The device has an outgoing bandwidth of 500kbit
@ -839,13 +839,13 @@ ppp0 6000kbit 500kbit</programlisting>
<para>Also unlike rules in the <ulink
url="manpages/shorewall-rules.html">shorewall-rules</ulink>(5) file,
the tcrules file is not stateful. So every packet that goes into, out
of or through your firewall is subject to entries in the tcrules
file.</para>
the mangle (tcrules) file is not stateful. So every packet that goes
into, out of or through your firewall is subject to entries in the
mangle (tcrules) file.</para>
<para>Because tcrules are not stateful, it is necessary to understand
basic IP socket operation. Here is an edited excerpt from a post on
the Shorewall Users list:<blockquote>
<para>Because mangle (tcrules) entries are not stateful, it is
necessary to understand basic IP socket operation. Here is an edited
excerpt from a post on the Shorewall Users list:<blockquote>
<para>For the purposes of this discussion, the world is separated
into clients and servers. Servers provide services to
clients.</para>
@ -898,10 +898,12 @@ ppp0 6000kbit 500kbit</programlisting>
</important>
<para>The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The <quote>/etc/shorewall/tcrules</quote>
file is used for specifying these marks in a tabular fashion. For an
in-depth look at the packet marking facility in Netfilter/Shorewall,
please see <ulink url="PacketMarking.html">this article</ulink>.</para>
packets for traffic shaping. The
<filename>/etc/shorewall/mangle</filename>
(<filename>/etc/shorewall/tcrules</filename>) file is used for
specifying these marks in a tabular fashion. For an in-depth look at the
packet marking facility in Netfilter/Shorewall, please see <ulink
url="PacketMarking.html">this article</ulink>.</para>
<para><emphasis role="bold">For marking forwarded traffic, you must
either set MARK_IN_FORWARD_CHAIN=Yes shorewall.conf or by using the :F
@ -914,7 +916,7 @@ ppp0 6000kbit 500kbit</programlisting>
<para>The following examples are for the mangle file.</para>
<example id="Example1">
<title></title>
<title/>
<para>All packets arriving on eth1 should be marked with 1. All
packets arriving on eth2 and eth3 should be marked with 2. All packets
@ -928,7 +930,7 @@ MARK(3) $FW 0.0.0.0/0 all</programlisting>
</example>
<example id="Example2">
<title></title>
<title/>
<para>All GRE (protocol 47) packets destined for 155.186.235.151
should be marked with 12.</para>
@ -938,7 +940,7 @@ MARK(12):T 0.0.0.0/0 155.182.235.151 47</programlisting>
</example>
<example id="Example3">
<title></title>
<title/>
<para>All SSH request packets originating in 192.168.1.0/24 and
destined for 155.186.235.151 should be marked with 22.</para>
@ -948,7 +950,7 @@ MARK(22):T 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example>
<example id="Example4">
<title></title>
<title/>
<para>All SSH packets packets going out of the first device in in
/etc/shorewall/tcdevices should be assigned to the class with mark
@ -961,7 +963,7 @@ CLASSIFY(1:110) 0.0.0.0/0 0.0.0.0/0 tcp - 22</
</example>
<example id="Example5">
<title></title>
<title/>
<para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to
peer traffic with packet mark 4.</para>
@ -994,7 +996,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - -
</example>
<example>
<title></title>
<title/>
<para>Mark all forwarded VOIP connections with connection mark 1 and
ensure that all VOIP packets also receive that mark (assumes that
@ -1305,15 +1307,15 @@ ppp0 3 2*full/10 8*full/10 2</programlisting>
</section>
<section id="realtcr">
<title>tcrules file</title>
<title>mangle file</title>
<programlisting>#ACTION SOURCE DEST PROTO PORT(S) CLIENT USER
# PORT(S)
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
1:F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-request
MARK(1):F 0.0.0.0/0 0.0.0.0/0 icmp echo-reply
# mark traffic which should have a lower priority with a 3:
# mldonkey
3 0.0.0.0/0 0.0.0.0/0 udp - 4666</programlisting>
MARK(3):F 0.0.0.0/0 0.0.0.0/0 udp - 4666</programlisting>
<para>Wondershaper allows you to define a set of hosts and/or ports
you want to classify as low priority. To achieve this , you have to
@ -1343,7 +1345,7 @@ NOPRIOPORTSRC="6662 6663"
NOPRIOPORTDST="6662 6663" </programlisting>
<para>This would result in the following additional settings to the
tcrules file:</para>
mangle file:</para>
<programlisting>MARK(3) 192.168.1.128/25 0.0.0.0/0 all
MARK(3) 192.168.3.28 0.0.0.0/0 all
@ -1602,13 +1604,13 @@ ip link set ifb0 up</command></programlisting>
<para>While this file was created to allow shaping of traffic through an
IFB, the file may be used for general traffic classification as well.
The file is similar to <ulink
url="shorewall-tcrules.html">shorewall-mangle</ulink>(5) with the
url="shorewall-mangle.html">shorewall-mangle</ulink>(5) with the
following key exceptions:</para>
<itemizedlist>
<listitem>
<para>The first match determines the classification, whereas in the
tcrules file, the last match determines the classification.</para>
mangle file, the last match determines the classification.</para>
</listitem>
<listitem>